ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > LookBack, TA410

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: LookBack, TA410

NamesLookBack (Proofpoint)
TA410 (Proofpoint)
Witchetty (Symantec)
LookingFrog (ESET)
FlowingFrog (ESET)
MotivationInformation theft and espionage
First seen2019
Description(Proofpoint) Between July 19 and July 25, 2019, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication.  We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.

Proofpoint found similarities in malware delivery with Stone Panda, APT 10, menuPass, but those may have been false flags.
ObservedSectors: Energy, Utilities.
Countries: USA and Middle East and Africa.
Tools usedFlowCloud, GUP Proxy Tool, SodomMain, SodomNormal.
Operations performedJul 2019At the same time as the LookBack campaigns, Proofpoint researchers identified a new, additional malware family named FlowCloud that was also being delivered to U.S. utilities providers.
Aug 2019LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs
Feb 2022Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

Last change to this card: 29 November 2023

Download this actor card in PDF or JSON format

Previous: LockBit Gang
Next: Lotus Blossom, Spring Dragon, Thrip

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]